Re: 02.2 Re: [Asrg] draft-irtf-asrg-bcp-blacklists-00 [_________]
2004-05-06 12:12:29
On 5/5/04 11:17 AM, Chris Lewis sent forth electrons to convey:
Matthew Elvey wrote:
On 5/4/04 9:28 AM, Chris Lewis sent forth electrons to convey:
I can think of a couple. Here's one: a blacklist entry that was
created solely on the existence of an open proxy, yet delisting
required that the system owner provided rDNS and postmaster
accessibility IN ADDITION to fixing the proxy. Desirable yes, but,
this goes beyond the BLs stated purpose, and unnecessarily conflates
anti-spam with non-spam issues. rDNS/postmaster were irrelevant to
the original listing, they should remain irrelevant to a subsequent
delisting.
That's not a valid example. If these additional requirements were
not in the BL's stated delisting, then this issue was covered in
2.1. "Truth in Advertising".
You _could_ do it that way. But this runs into a number of problems.
One of which being a crack to stick the wedge of impropriety in.
Believe me, it's best for the blacklist _owner_ to do whatever they
can that has the slightest whiff of ulterior motives. Ie: "pay me to
get out of the list". Which is either extortion or protection rackets
or both.
I strongly believe that any blacklist owner who does think through all
of the ramifications of "extra delisting requirements" will realize
it's in their best interests to avoid them. In a legal sense.
Objectivity and pinpoint accuracy is always to be preferred if there's
no compelling reason to do otherwise (ie: SPEWS being inherently and
deliberately subjective). Subjective isn't _wrong_, just
unnecessary-to-the-goal subjectivity is dangerous - to the blacklist
admin's legal liability - even if only a frivolous claim.
When I was Usenet despamming (for about 6 years), there were many
opportunities to do things like this. Some perfectly reasonable, some
not. And I've watched other de/anti spammers go through some of the
same temptations and the flamewars and worse that resulted. It's
simply never preferable to do anything that is even remotely close to
imposing something on the listee that benefits _you_, or isn't
directly related to the listing. That ONLY provides leverage for
legal action, justified or not.
Simply being on a list someone runs seems to provide all the leverage
for legal action any spammer has needed to sue. Having 2.2 seems like
barricading one door of a room with 3 open doors.
That's 10 years hard labour in the trenches (with at times an average
of one lawsuit threat per _day_) speaking.
I'd really like to hear more about this (off-list). Appreciate the
above info!
This recommendation serves to _lessen_ the BL owner's potential legal
problems, not the opposite.
2.3. Listing/Delisting Criteria MUST Be Easily Available.
Vagueness here is undesirable. Here's my specific text suggestion:
2.3 would benefit from the addition of sentences like: The precise
algorithms and data used for listing and delisting do not need to be
disclosed. Some criteria may be vaguely defined to slow down spammer
adaptation.
I think clarification of intent along that line would be a good idea.
2.6. MUST Have a Direct Non-Public Way to Request Removal.
I can't think of any benefit that 2.6 would provide. I claim that
any question re. SPEWS is likely going to be answered faster and
better via a nanae/nanabl posting.
For the most part you're perfectly right. NANAE or NANABL will
usually come up with a good explanation (albeit buried deep amongst
the insults and entirely wrong answers).
In theory, and much of the time in practice, it works acceptably well.
_If_ it's asked, and _if_ one or more of the answerers manage to
figure out the answer and _if_ the questioner is able to separate the
wheat from the chaff (nay, buckshot ;-), fine.
But, these things fail a whole lot more than people appreciate. I'm
on lists where things like this are discussed honestly.
1) listees (especially ISPs) sometimes have no idea whatsoever why
<some IPs> are listed. Sometimes it's subtle (like a stale DNS
entry), or some connection that's not published in the SPEWS entry. I
full well believe that SPEWS listings result from unanswered
complaints. On the other hand, one can easily expect some of these
complaints going astray (for a whole host of reasons, including not
identifying the responsible
party correctly in the first place). Having a failsafe to get the right
answer is desirable.
I've seen plenty of ISPs saying "I have no idea why this is listed.
We've never got any complaints about this customer". Or, worse, when
they can't figure out what customer the listing is a result of. Yeah,
sometimes they're lying. But not always.
2) A whole host of *SPs and personnel simply refuse to have anything
to do with NANAE or NANABL. I've done my bit to try to persuade them
otherwise, including in some cases "fronting" requests and guiding
them thru the minefield. But it almost never happens.
If any of them do not have long listings at
http://www.spamhaus.org/sbl/listings.lasso?isp=isp.tld then that's
interesting, but I wonder if that's not the case. In other words, are
these ever folks to whom your 1) above applies? I guess you're saying
it is; more often than people appreciate, it does.
In any case, I'd rather not see their unreasonable fear to post in a
public place legitimized by BCP accommodation. (From what I've seen,
competent (e.g. non-threatening, specify an IP and SPEWS #) nana* posts
from listees not wearing black hats attract little 'buckshot'.)
3) I've seen NANAE/NANABL grasping at straws to find out the ultimate
reason for a listing, and never finding it. Or not knowing if it has
been found.
My goal in anti-spam is to block spam. To prevent spam from being
sent in the first place. To make it as easy as possible for ISPs to
clean up problems or, gasp, point out mistakes. Even escalation has a
positive role to play.
I have no problem with SPEWS' general "ask NANAE" here, as long as
there is a channel of last resort.
CBL does something like this - you can delist yourself, and it happens
within a few hours. They also have a removal limiter to refuse
delisting if the same IP is removed too often. Then you're guided to
contact the CBL directly.
I'm sure that the vast majority of CBL delistings occur without having
to go anywhere near the email address. The ones that do can't be that
high volume, because I've not had problems dealing with them by email.
And if you do deal with them by email, you still don't find out who
they are.
Pretty nifty. Still I don't see why e.g. that email address
auto-forwarding to a public place (perhaps read-only) would be wrong.
But I don't have the experience you have, so perhaps you can enlighten
me with an example of info that needs to be conveyed non-publicly. In
other words, if the listee is going to make false statements, they'd be
more comfortable doing so privately, but I can't think of a legit need
for a Direct *Non-Public* Way to Request Removal.
3. Special Rules for Blacklists Listing Insecure Machines.
From [SPEWS FAQ] A45:
Due to abuse by spammers, open email relays no longer have any place
on the Internet. Some may want to debate this, we won't.
It was 3.1's "spam in hand" requirement that prompted my comment. A
BLs policy should state whether it will list w/o "spam in hand".
Okay.
:)
Heh. Matt has run a public BL. Not for very long mind you, but
apparently a lot of people used it during that period.
Oops.
As for the gut feeling w.r.t. me, well, I think that John Levine and a
few others (besides Matt) might be persuaded to tell you that your gut
feeling is wrong, without going into details ;-)
Ok, I believe you.
E.g. I think even the CBL and SBL are not compliant with a strict
interpretation, hence some of the suggestions I've made.
If the BCP can be twisted that far by a reasonable person, it needs to
be adjusted. Thanks for your comments!
I think it's been a productive discussion! Looking forward to -01.
Thanks!
This BCP is _intended_ to be of benefit to both owners and users of
BLs. Transparency benefits BCP [you mean BL, I guess - elvey] owners
even more than users... The only reason to lessen transparency is
where necessary to prevent spammer evolution.
Maybe we have to amplify the introduction more along the above lines
to help ameliorate most of the legal concerns and make that intent
more obvious.
(I suggested some legal-issue wording for this in another post.)